Abstract

Quantum Key Distribution is a secret distribution technique that requires an authenticated channel. This channel is usually created on top of an unauthenticated communication medium using unconditionally secure Message Authentication Codes (MAC) and an initial common secret. We examine the consequences of replacing this MAC algorithm by a cryptographic hash-based signature algorithm, like the Lamport algorithm, and show that in practical settings it results in an increase of the security of QKD and eases its deployment.



1 QKD, session authentication, and Digital Signatures 

Quantum Key Distribution (QKD) is a way to create shared and secret random values at both ends of a communication link, with a security guaranteed without computational hardness assumptions [SBPC+09]. It requires however a classical authenticated channel, together with an untrusted 'quantum' channel (usually realized with an optical fiber or a free-space optical transmission). This authenticated channel can be realized on top of an unauthenticated network connection using cryptographic primitives. The natural choice for these primitives is to use symmetric, unconditionally secure Message Authentication Codes like Wegman-Carter [WC81], Evaluation Hash [MV84] or LFSR-based Toeplitz [Kra94]. Being symmetric, these primitives require a common secret; this is not a problem as soon as enough secret is created by the QKD link, but it is an undesirable constraint for the first run, as it forces the user to securely dispatch a common secret to both ends of the link. A very common argument against QKD is that, instead of exchanging a short common secret and using QKD to amplify it, one may as well initially exchange a very large secret and use it in place of the QKD output; the latter solution is easily realized thanks to the very low current price of storage. While this argument is not entirely correct[1], it is desirable to have alternatives to the pre-sharing of a common secret.

Another argument against methods based on a common secret is that they are very 
hard to operate securely in practice. Indeed, the right way to implement them would be 
to store the secret on a device providing hardware security like a smart card (acting as a 
safe for the secret), but for this to be of interest the whole authentication tag computation 
needs to be performed inside the secure device. Unfortunately, the complete computation by a smart card of an authentication tag for a large set of messages corresponding to a QKD protocol run, typically consisting of several megabits, is impractical. The secret must therefore be allowed to go out of the secure device; but then the very purpose of the secure device is defeated[2].

[1] Indeed, QKD is forward secure, which means that each key produced is completely independent of past values; as a consequence, even an attacker having at some point in time a complete knowledge of the equipment state including its secrets does not learn anything about future keys in a passive attack scenario. Contrary to the hard-disk scenario where a one-time compromise is enough to obtain all the keys, QKD forces the attacker to perform a persistent active attack in order to obtain new keys, with a much higher risk of being detected.

Mitigation measures include enabling the secret to go out of the secure device only in a trusted environment, with a mechanism to authenticate the latter to the secure device like a PIN code, or splitting the secret into several parts handled by independent parties, but the overall security assurance provided by these techniques does not compare favorably to the one offered by the resistance of cryptographic primitives, even computationally secure ones.

Asymmetric cryptographic primitives which are used to negotiate keys in classical cryptography protocols usually employ computationally secure authentication means that are themselves asymmetric, that is, digital signature algorithms. A common combination (standardized as ISO 9798-3 [ISO98]) is to use the Signed Diffie-Hellman algorithm, where a Diffie-Hellman key exchange is authenticated with digital signatures. The QKD protocol and the Diffie-Hellman algorithm are very similar in function, in that they both enable the creation of common secret values if a way to authenticate messages is available, although the security guarantees they provide differ. Digital signatures require the communicating parties to exchange public keys in an authentic way, contrary to symmetric MAC algorithms which require a common secret value. This is a huge improvement because it is much easier to ensure that a value is authentic than it is to guarantee its secrecy[3]. This is because a message alteration can be uncovered anytime after it occurred, whereas preventing a loss of secrecy requires the perfect continuity of the protecting measures. Together with the invention of Public Key Infrastructures, this is what sparked the success of public-key cryptography.

Similarly to the case of Diffie-Hellman, it is appealing to use an asymmetric signature algorithm to authenticate the first run of a pair of QKD devices. Of course, doing this makes the QKD security depend on the strength of the signing algorithm, which reintroduces the very computational hardness assumptions QKD is supposed to be free of.

In realistic deployments of QKD however, it will not be used stand-alone, encrypting traffic using a one-time pad and ensuring its integrity using unconditionally secure Message Authentication Codes, but rather together with computationally secure symmetric encryption and authentication algorithms built on top of symmetric ciphers like the Advanced Encryption Standard (AES) [FIP01]: in that setting, hardness assumptions are required to ensure the confidentiality and integrity of the user traffic, and therefore it makes sense to investigate the relationship between these assumptions and the ones backing the security of asymmetric signature algorithms.

The existence of secure symmetric cryptography (stream ciphers, block ciphers, and hash functions) is equivalent to the existence of one-way functions, that is, functions easy to compute and hard to invert. Indeed, block ciphers are pseudorandom permutations, i.e. permutations indexed by a key which are computationally indistinguishable from random permutations when the key is secret; stream ciphers are pseudorandom number generators; and hash functions are collision, 1st- and 2nd-preimage resistant functions[4]. The existence of one-way functions is known to be equivalent to the existence of pseudo-random number generators [HILL93], to the existence of pseudorandom functions [GGM86] and to the existence of pseudorandom permutations [LR88]. One-wayness is exactly 1st-preimage resistance; it is implied by 2nd-preimage resistance, which is in turn implied by collision resistance; see [RS04]. There is no reverse implication; however, a collision-resistant, length-reducing function can be constructed from a one-way function [Rom90]. Hence 2nd-preimage resistant or collision-resistant functions exist iff one-way functions exist.

[2] One could think of a 2-stage scheme where the secure device authenticates a small digest of the message, but this can only be made secure in the computational sense: it must not be possible to find collisions for the function that transforms the message into the digest, and such collisions exist since the digest is smaller than the message.

[3] When there are more than two users, the separation of the key into a public and a private part also reduces the number of keys to distribute, since the same private-public key pair can be used to authenticate to several parties, the public part being distributed to all of them. In the point-to-point setting of QKD however, we are not concerned by this property.

[4] A function is $n$-th-preimage resistant if it is difficult to compute an $n$-th preimage of a value $x$ given $n - 1$ different preimages of $x$.

It is expected that one-way functions do exist, although this conjecture, implying the famous conjecture P $\neq$ NP, is not likely to be proven in the near future[5]. What happens in a world with quantum computers? Although some number-theory-based constructions used in asymmetric cryptography collapse, one-way functions may very well still exist. All we know is that with a quantum computer, key sizes for symmetric cryptography have to be doubled to retain the same security, because of Grover's quantum algorithm enabling exhaustive search with square-root complexity [Gro96].

Of course, the practical situation is more complex, since even if one-way functions and secure symmetric cryptography exist, it is not known whether the symmetric primitives used today are good approximations of their idealized counterparts. In fact, symmetric ciphers and cryptographic hash functions like the SHA family [FIP08] do not seem to rely on a small family of well-identified hypotheses of hardness of simple mathematical problems, unlike asymmetric algorithms[6]. This lack of structure has two consequences: there is no provable security reduction between symmetric algorithms, but conversely their security is not likely to collapse because of some sudden theoretical advance. In fact, the last 30 years of cryptanalytic progress showed that the security of symmetric primitives of early designs like DES [FIP99] or hashing functions like SHA-1 tends to erode slowly rather than abruptly, and that more mature designs (the AES competition contenders, the SHA-2 family) exhibit a very good resistance to cryptanalysis.

It turns out that a family of signature algorithms, Lamport signatures [Lam79] and their derivatives, only require a function $f$ with 1st-preimage resistance (i.e. a one-way function) and a function $g$ with collision resistance (which could be built from a one-way function as stated above[7]). Let us sum up the properties of QKD when the public channel authentication is realized with the help of Lamport signatures. If the underlying functions $f, g$ are indeed 1st-preimage resistant and collision resistant, then naturally the combination has the same security properties as QKD with unconditional authentication methods. This includes unconditional forward secrecy. But the security properties of $f, g$ need to last only as long as the (first) authenticated session itself: hence, unlike the classical encryption setting where ciphertexts may be recorded for later decryption, only the attacks known at the moment of the QKD run, and that can be performed within the timeframe of a QKD session, are relevant.

In the rest of this paper, we investigate this solution in detail, examine some variants and discuss the security properties obtained.

[5] For a general presentation of these issues, see chapter 9 of [MvOV96], and in particular remark 9.12.

[6] For instance, the RSA hypothesis (related to, and not stronger than, factoring) for RSA [RSA78]; the discrete logarithm in finite fields or elliptic curves for DSA/ECDSA [FIP09, JM99] and Schnorr signatures [Sch90]; or related problems like the Computational Diffie-Hellman problem, etc.

[7] This is why the existence of one-way functions implies the existence of digital signatures, which is the main result of [Rom90].
2 Lamport Signatures



2.1 Description 

For this paragraph, the main reference is chapter 3 of the book[8].

Lamport signatures are $n \times \ell$-bit strings, where $n$ and $\ell$ are chosen according to the security requirements as explained in section 2.3.

As usual for digital signatures, a message to be signed is first transformed into a fixed-length string, its digest, by a collision-resistant hash function $g : \{0,1\}^* \to \{0,1\}^\ell$. The rest of the algorithm uses a preimage-resistant function $f : \{0,1\}^n \to \{0,1\}^n$.

The public key consists of $2\ell$ values $y_i[j] = f(x_i[j])$, $i = 0, \ldots, \ell-1$, $j = 0, 1$. The values $x_i[j]$ are the private key of the algorithm and are chosen uniformly at random.

The signature of a message $M$ of digest $m = g(M) = m_0, \ldots, m_{\ell-1}$ is the bit string $x_0[m_0], x_1[m_1], \ldots, x_{\ell-1}[m_{\ell-1}]$. It is of size $n \times \ell$.

The signature check of a signature $s_0, \ldots, s_{\ell-1}$ is performed by verifying that $f(s_i) = y_i[m_i]$ for $i = 0, \ldots, \ell-1$.



2.2 The Case of QKD: One-Time Signatures Usability

The Lamport algorithm is not widely used because a key pair can only sign one message. Indeed, its security degrades very quickly when several messages are signed with the same key pair: this is to be expected since a signature is really just a part of the private key. More precisely, given $k$ signatures of messages whose digests are $m^j_i$, $i = 0, \ldots, \ell-1$, $j = 0, \ldots, k-1$, a signature for any message of digest $m'_0, \ldots, m'_{\ell-1}$ s.t.

$$\forall i,\quad m'_i \in \{ m^j_i \mid j = 0, \ldots, k-1 \} \qquad (1)$$

can be signed using the previous signatures. As soon as the signed message digests differ in more than one bit (which occurs with overwhelming probability as soon as $k \geq 2$ since $\ell \gg 1$), it suffices to create new combinations of the differing bits to create digests that can be signed and that are different from the original message digests[9].

As we shall see in section 3.1, there are hash-based signature algorithms that are able to sign several messages with a single set of keys. However, in the QKD setting, the limitation to one signature is not an issue for two reasons:

• The algorithm is only used to authenticate the first protocol run of a pair of QKD 
devices; subsequent executions are authenticated normally with a symmetric MAC 
algorithm using some of the common secret produced by the QKD link itself. 

• To enable a recovery when this run was not successful, it is possible to include in the 
signed message a new public key that will be used to authenticate a new execution 
if needed. Additionally, a computational symmetric MAC can be used to check for 
message authenticity before using the Lamport mechanism: this will eliminate most 
failures before resorting to the signature and consuming the Lamport key, while not 
needing to put too much trust in the symmetric key used by the computational MAC 
mechanism. 

[8] Available on-line at http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/hashbasedcrypto.pdf

[9] For values of $k \ll n$, it may still be hard to find a message whose digest lies in the set of digests that can be signed using the revealed part of the private key, i.e. messages satisfying equation (1), but this property holds only for very small values of $k$ and cannot be used in practice.
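The scheme of section 2.1 and the one-time constraint of section 2.2, as an added example (not code from the paper): a minimal Lamport signature in Python with $g$ = SHA-256 ($\ell = 256$) and $f$ = SHA-256 truncated to $n = 128$ bits (sizes chosen for illustration only; section 2.3 discusses the real sizing). The signer erases the private key after one use, and `exposed_positions` counts, for a set of messages signed with the same key, the digest positions at which both $x_i[0]$ and $x_i[1]$ would be revealed, which is what makes the combinations of equation (1) signable. All names are this example's own.

```python
import hashlib
import os

ELL = 256  # digest length l in bits: the output size of g
N = 16     # output size n of f in bytes (128 bits)


def g(message: bytes) -> bytes:
    """Collision-resistant digest g: {0,1}* -> {0,1}^l (SHA-256)."""
    return hashlib.sha256(message).digest()


def f(x: bytes) -> bytes:
    """Preimage-resistant f: {0,1}^n -> {0,1}^n (SHA-256 truncated to n bits)."""
    return hashlib.sha256(x).digest()[:N]


def digest_bits(m: bytes) -> list:
    """Bits m_0, ..., m_{l-1} of a digest, most significant bit of each byte first."""
    return [(m[i // 8] >> (7 - i % 8)) & 1 for i in range(ELL)]


def keygen():
    """Private key: x_i[j] uniformly random; public key: y_i[j] = f(x_i[j])."""
    x = [[os.urandom(N), os.urandom(N)] for _ in range(ELL)]
    y = [[f(xi[0]), f(xi[1])] for xi in x]
    return x, y


class OneTimeSigner:
    """Holds the private key and refuses to sign a second message."""

    def __init__(self, x):
        self._x = x

    def sign(self, message: bytes) -> list:
        if self._x is None:
            raise RuntimeError("Lamport private key already consumed")
        bits = digest_bits(g(message))
        signature = [self._x[i][bits[i]] for i in range(ELL)]
        self._x = None  # a signature is part of the private key: erase the rest now
        return signature


def verify(y, message: bytes, signature) -> bool:
    """Accept iff f(s_i) == y_i[m_i] for every i = 0, ..., l-1."""
    if len(signature) != ELL:
        return False
    bits = digest_bits(g(message))
    return all(f(signature[i]) == y[i][bits[i]] for i in range(ELL))


def exposed_positions(messages) -> int:
    """Number of digest positions i at which both x_i[0] and x_i[1] would be
    revealed if every message in `messages` were signed with the same key.
    By equation (1) every digest mixing the revealed bits is then signable;
    for two distinct digests this count is about l/2."""
    seen = [set() for _ in range(ELL)]
    for message in messages:
        for i, bit in enumerate(digest_bits(g(message))):
            seen[i].add(bit)
    return sum(1 for s in seen if len(s) == 2)


if __name__ == "__main__":
    x, y = keygen()
    signer = OneTimeSigner(x)
    msg = b"first QKD run transcript (constructed sample)"
    sig = signer.sign(msg)
    print("valid:", verify(y, msg, sig))
    print("positions exposed by two signatures:",
          exposed_positions([b"run 1", b"run 2"]))
```

The signature and public key are each $\ell$ and $2\ell$ values of $n$ bits, as stated in section 2.1; the erase-after-use behaviour mirrors the secure-device sequencing recommended in section 2.4.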
2.3 Security Properties



The security of a slightly simplified Lamport signature scheme is stated in theorem 8.1 of [BBD08]. In this simplified scheme, messages are $\ell$ bits long and the transformation of a message $m$ into its fixed-size digest $g(m)$ is skipped. Therefore only the one-way function $f$ plays a role in the security of the scheme. The stated security result is computational: it states that there exists no attacker able with probability $\varepsilon$ to forge a Lamport signature for some public Lamport key PK and some new message $m$ after it has obtained a signature for one message of its choice valid with respect to PK, unless there also exists an attacker with almost the same running time and success probability $\varepsilon/4\ell$ against the underlying one-way function.

One says that, given a one-way function $f$, the (modified) Lamport signature scheme for $\ell$-bit messages is $(1, \varepsilon)$-existentially unforgeable under an adaptive chosen message attack.

Going back to the unmodified scheme using a collision-resistant function $g$, it can be proven that an attacker (1-adaptive existential forger as above) against the Lamport signature scheme cannot have success probability greater than $\varepsilon$ where there exists an attacker against the one-wayness of $f$ with success probability $\varepsilon'/4\ell$, and another attacker that produces a collision for $g$ with probability $\varepsilon''$ with

$$\varepsilon' + \varepsilon'' \geq \varepsilon \qquad (2)$$

Indeed, if the attacker against the signature scheme produces a forged signature of a message $m' \neq m$ after being given the signature of $m$, either $g(m) \neq g(m')$, which constitutes an attack against the simplified scheme, or $g(m) = g(m')$ and $(m, m')$ is a collision for $g$. Remark that one could have $\varepsilon' = 0$ or $\varepsilon'' = 0$, as long as equation (2) is satisfied: an attacker against one of the two functions yields an attacker against the signature scheme. The running time of the attacker against the Lamport signature scheme is the minimum of the running times of the attackers against $f$ and $g$.

Generic (non-quantum) attacks against a hash function producing $\ell$-bit hashes enable finding collisions in $O(2^{\ell/2})$ hash function computations. For an $n$-bit hash function, preimages are found in a generic way in $O(2^n)$ hash function computations. $k$-bit classical security (i.e. best non-quantum attack in $O(2^k)$ operations) for Lamport signatures therefore requires $n \geq k$ and $\ell \geq 2k$. Typically we want 128-bit security, which yields $n \geq 128$ bits and $\ell \geq 256$ bits.

If quantum generic attacks are taken into account, the picture changes a bit. Finding preimages of an $n$-bit hash function can be performed in $O(2^{n/2})$ operations using Grover's algorithm, and there is a quantum algorithm with complexity $O(2^{\ell/3})$ able to find with good probability a collision of $\ell$-bit hashes [BHT97]. However it requires a (quantum) memory of size $O(2^{\ell/3})$ [GR04], so that we rather include its analysis in the next paragraph about parallel methods. With a constant or logarithmic amount of memory, the best known quantum attacks for $n$-bit hash preimage and $\ell$-bit hash collision have complexity $O(2^{n/2})$ and $O(2^{\ell/2})$, respectively. For $k$-bit security, one should therefore choose $\ell, n \geq 2k$.

Assuming some parallelism, results are again different. With a (classical or quantum, computation or memory) resource size of $O(2^\mu)$, and realistic communication models, the best known generic preimage complexity for an $n$-bit hash function is $O(2^{(n-\mu)/2})$ and the best collision attack for an $\ell$-bit hash function $O(2^{\ell/2 - \mu})$ [Ber09]. Hence one should choose $n \geq 2k + \mu$ and $\ell \geq 2(k + \mu)$. Assuming $k = 128$ and $\mu = 64$ (which is an extremely large security margin), this gives $n \geq 320$ bits and $\ell \geq 384$ bits.

The complexities above are given for an attacker with success probability one. Going back to the $\varepsilon', \varepsilon''$ above, an attacker using only a fraction $\eta$ of the resources indicated has a success probability $\eta^2$, except for the classical preimage search algorithm, where the probability scales linearly with the effort.
2.4 Operation with a Secure Device



A secure device provides facilities to store data in a confidential and/or authentic way and to perform operations using this data. A typical cheap secure device is a smart card. It has limited computational power, but is designed to store keys securely and to run some cryptographic algorithms making use of these keys, typically a hashing algorithm (usually SHA-1 or SHA-2) and a block cipher algorithm (3DES or AES). More powerful secure devices ('Hardware Security Modules') can sit in computers but usually offer security assurances lower than smart cards.

The right way to implement a public-key algorithm such as Lamport is to never let 
private keys go out of secure devices. Therefore each secure device, at each end of the QKD 
link, generates its own private key and discloses the corresponding public key. During a 
trusted initialization phase, each device then receives the public key of the other device, 
or some digest of it, enabling it to later authenticate the signature of the other party. 

Both the collision-resistant function and the preimage-resistant function are implemented with the hash function provided by the secure device.

Since the first step in computing a signature (applying $g$) does not involve the private key, and results in a small fixed-length string, this step can be performed outside the secure device. The hash is then provided to the secure device. With the notations of section 2.1, the latter then picks the values $x_0[m_0], x_1[m_1], \ldots, x_{\ell-1}[m_{\ell-1}]$ corresponding to the digest $m_0, \ldots, m_{\ell-1}$ provided.

To ensure a correct usage of the algorithm as well as to effectively protect the private key, the sequencing of the instructions to the secure device should prevent multiple signing with the same private key. For instance, if the values $x_i[m_i]$ are output successively by the secure device, as is the case with a smart card that cannot output the signature all at once, the private key should be erased as soon as the last signature part is output, or even better, $x_i[1 - m_i]$ can be erased as soon as $m_i$ is known by the secure device.



2.5 Private and Public Key Size 

An issue with the Lamport algorithm is its large key size: for instance, for $\ell = 256$ and $n = 128$, the public key size is $2 \times 256 \times 128 = 64$ Kbit. With the more conservative parameters of paragraph 2.3 the size becomes $2 \times 384 \times 320 = 240$ Kbit. Such a key cannot be stored on most smart cards.

A standard way to overcome this is to generate the private key from a pseudo-random 
number generator (PRNG) and to store only the secret s of the PRNG; it is then possible 
to compute the public and the private key on-the-fly. The public key and signature are 
then computed and output piece by piece, typically one hash at a time. 

Security-wise, using this construction requires taking the PRNG security into account. It is measured by the success probability $p_{\mathrm{PRNG}}$ of an attacker that is presented with either a truly random sequence or an output of the PRNG and must distinguish between the two cases. With $\varepsilon_{\mathrm{PRNG}} = |2 \times p_{\mathrm{PRNG}} - 1|$, the bound on the success probability of an attacker against the signature scheme using the PRNG becomes[10]

$$\varepsilon' + \varepsilon'' + \varepsilon_{\mathrm{PRNG}} \geq \varepsilon \qquad (3)$$

The generic distinguishing attack consists in finding whether there is a value $s$ that enables reproducing the output sequence. This is similar to the preimage attacks we discussed in paragraph 2.3, and the bounds given for $n$ apply to the size of $s$. Secure PRNG constructions using hashing and satisfying these size constraints exist (see for instance the annex of [FIP09]).

[10] The increase of the success probability of an attacker against the signature scheme caused by the usage of a PRNG can be used to distinguish between the PRNG and true random numbers: random numbers, either produced by the PRNG or truly random, are used as a Lamport private key, then the attacker is run. Numbers are assumed to come from the PRNG iff the attacker manages to produce a forged signature. This way, a forger more efficient in the PRNG case is used to create a PRNG distinguisher.
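The seed-derived key of section 2.5 combined with the secure-device sequencing of section 2.4, as an added example (not code from the paper): the device stores only the seed $s$, regenerates each $x_i[j]$ on demand, emits the public key and the signature one hash at a time, never derives the unused half $x_i[1-m_i]$, and erases the seed once the last signature part has left it. The PRF used as the PRNG (HMAC-SHA-256 over a counter), the 32-byte seed, the `abort` method and all names are assumptions of this example; the paper only requires a secure hash-based PRNG whose seed is at least $n$ bits.

```python
import hashlib
import hmac

ELL = 256  # digest length l in bits
N = 16     # output size n of f in bytes (128 bits)


def f(x: bytes) -> bytes:
    """Preimage-resistant f: SHA-256 truncated to n bits."""
    return hashlib.sha256(x).digest()[:N]


def host_digest(message: bytes) -> bytes:
    """g(M), computed outside the secure device as section 2.4 allows."""
    return hashlib.sha256(message).digest()


def digest_bits(m: bytes) -> list:
    """Bits m_0, ..., m_{l-1} of a digest, most significant bit first."""
    return [(m[i // 8] >> (7 - i % 8)) & 1 for i in range(ELL)]


def private_piece(seed: bytes, i: int, j: int) -> bytes:
    """x_i[j] regenerated from the seed s as PRF_s(i || j) truncated to n bits.
    HMAC-SHA-256 as the PRF is an assumption of this example."""
    return hmac.new(seed, i.to_bytes(2, "big") + bytes([j]),
                    hashlib.sha256).digest()[:N]


def public_key(seed: bytes) -> list:
    """The 2l values y_i[j] = f(x_i[j]), one hash at a time; the private
    values are recomputed, never stored."""
    return [[f(private_piece(seed, i, 0)), f(private_piece(seed, i, 1))]
            for i in range(ELL)]


class SecureDeviceSigner:
    """Model of the smart-card side: keeps the seed, receives the digest bits
    m_i one at a time, outputs x_i[m_i], never derives x_i[1 - m_i], and
    erases the seed as soon as the last part is output."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._i = 0

    def next_piece(self, m_i: int) -> bytes:
        if self._seed is None:
            raise RuntimeError("private key consumed or erased")
        if m_i not in (0, 1):
            raise ValueError("digest bit must be 0 or 1")
        piece = private_piece(self._seed, self._i, m_i)
        self._i += 1
        if self._i == ELL:
            self._seed = None  # last signature part output: erase the key
        return piece

    def abort(self) -> None:
        """Erase the seed if the host stops mid-signature: the parts already
        output have revealed part of the key (assumed policy of this example)."""
        self._seed = None


def sign_digest(device: SecureDeviceSigner, m: bytes) -> list:
    """Host side: feed the digest bit by bit and collect the l signature parts."""
    return [device.next_piece(bit) for bit in digest_bits(m)]


def verify(y: list, m: bytes, signature: list) -> bool:
    """Verifier side, identical to plain Lamport: f(s_i) == y_i[m_i]."""
    if len(signature) != ELL:
        return False
    bits = digest_bits(m)
    return all(f(signature[i]) == y[i][bits[i]] for i in range(ELL))


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed seed for the demonstration only
    y = public_key(seed)
    m = host_digest(b"first QKD run transcript (constructed sample)")
    sig = sign_digest(SecureDeviceSigner(seed), m)
    print("valid:", verify(y, m, sig))
```

Only the seed needs protecting, so the storage problem of section 2.5 disappears; the device's state machine is what enforces the one-signature limit, since a second run would have to start again at $i = 0$ with an erased seed.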



3 Variants 

3.1 Enabling Multiple Signatures: Merkle trees 

Lamport signatures, or, for that matter, any one-time signature (OTS) scheme, can be paired with Merkle trees, which are a construction using only preimage-resistant functions and enabling the authentication of a large family of public signature keys with only one short value. We will omit a complete description of Merkle trees, which is detailed for instance in [BBD08], but will only describe their role and associated cost.

A Merkle tree of depth $H$ uses a collision-resistant function $T : \{0,1\}^* \to \{0,1\}^t$, and enables $2^H$ signatures. The tree 'public key' is a $t$-bit value.

Each message signature consists of a signature by the underlying one-time signature scheme, with some added information enabling the authentication of the OTS public key. This added information consists of $H$ $t$-bit values. The signature verification, aside from the underlying OTS signature verification, requires $H$ computations of $T$.

The signature algorithm calls the underlying OTS algorithm once and requires additionally $O(H)$ computations of $T$ and the storage of $O(H)$ values of $T$.

Initially, $2^H$ OTS public-private key pairs must be generated. This is usually too large to store; instead, a PRNG can be used, with ideas similar to those of paragraph 2.5. The computation of the tree public key requires $2^H - 1$ computations of $T$ and uses the $2^H$ underlying OTS public keys, which are themselves computed in the case of the Lamport algorithm through $2^H$ key generations, each requiring $2\ell$ calls to $f$.

The success probability of an attacker against this scheme, attempting to forge a signature after requesting at most $2^H$ signatures, is bounded by $2^H \varepsilon_{\mathrm{OTS}} + \varepsilon_{\mathrm{CR}}$, where $\varepsilon_{\mathrm{OTS}}$ is the success probability of an attacker against the underlying OTS scheme, and $\varepsilon_{\mathrm{CR}}$ the success probability of an attacker against the collision resistance of $T$. The output size $t$ of $T$ should therefore be chosen as $\ell$ for the Lamport signature scheme. For a proof of this result and more discussion on the attackers' running times, see theorem 8.2 of [BBD08].

In the usage context of quantum key distribution, the typical instantiation of Merkle trees would use a rather small parameter $H$ (say $H \leq 10$) to avoid sending a new public key in each signature, while retaining a small signature and verification overhead (this is especially true on the verification side, where the Lamport verification step already requires $\ell$ hash computations). This also ensures that the provable security loss factor incurred, $2^H$, is small.
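The Merkle tree of section 3.1, as an added example (not code from the paper): $2^H$ OTS public keys are hashed into leaves, the root is the $t$-bit tree public key, each signature carries the $H$ sibling values of its leaf, and verification recomputes the root with exactly $H$ calls of $T$ beyond the OTS check. The OTS public keys are constructed placeholders (the tree does not depend on which OTS scheme is used), $T$ is SHA-256 ($t = 256$), the leaf/node prefixes and the `MerkleKeyTracker` that hands out each leaf index once are this example's own choices.

```python
import hashlib


def T(data: bytes) -> bytes:
    """Collision-resistant T: {0,1}* -> {0,1}^t with t = 256 (SHA-256)."""
    return hashlib.sha256(data).digest()


def build_tree(ots_public_keys: list) -> list:
    """Levels of the tree: levels[0] are the leaves, levels[H] = [root].
    Each OTS public key is hashed to a t-bit leaf (2^H calls of T); the
    internal nodes then cost the 2^H - 1 calls of T counted in the text."""
    n = len(ots_public_keys)
    if n == 0 or n & (n - 1):
        raise ValueError("need exactly 2^H OTS public keys")
    levels = [[T(b"leaf" + pk) for pk in ots_public_keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([T(b"node" + prev[k] + prev[k + 1])
                       for k in range(0, len(prev), 2)])
    return levels


def auth_path(levels: list, index: int) -> list:
    """The H sibling values that, together with the leaf, recompute the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path


def verify_path(root: bytes, ots_public_key: bytes, index: int, path: list) -> bool:
    """Recompute the root from the OTS public key and its path: H calls of T
    on top of the one leaf hash. The OTS signature itself is checked separately."""
    node = T(b"leaf" + ots_public_key)
    for sibling in path:
        if index & 1:
            node = T(b"node" + sibling + node)   # leaf is a right child here
        else:
            node = T(b"node" + node + sibling)   # leaf is a left child here
        index >>= 1
    return node == root


class MerkleKeyTracker:
    """Hands out each OTS key index once, so at most 2^H signatures are made;
    the signer must keep this counter as carefully as the keys themselves."""

    def __init__(self, levels: list):
        self._levels = levels
        self._next = 0
        self.capacity = len(levels[0])
        self.root = levels[-1][0]

    def next_key(self) -> tuple:
        """Index and authentication path of the next unused OTS key."""
        if self._next >= self.capacity:
            raise RuntimeError("all 2^H one-time keys have been used")
        index = self._next
        self._next += 1
        return index, auth_path(self._levels, index)


if __name__ == "__main__":
    # constructed placeholders standing in for 2^3 OTS public keys
    pks = [bytes([i]) * 48 for i in range(8)]
    levels = build_tree(pks)
    tracker = MerkleKeyTracker(levels)
    idx, path = tracker.next_key()
    print("H =", len(path), "valid:", verify_path(tracker.root, pks[idx], idx, path))
```

With $H = 3$ the signature grows by three $t$-bit values and the verifier performs three extra hashes, while the security bound of the text degrades only by the factor $2^3$.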

3.2 Combination with Unconditional Methods 

It is always possible to combine a computational signature mechanism with an unconditional MAC scheme: the signature scheme is then seen as a failsafe in case of a compromise of the common secret. Of course, this combination is computationally costly since it requires processing the messages to be authenticated once for each scheme.

4 Conclusion 

We have seen that, provided some minimal hypotheses are fulfilled, namely the existence of preimage-resistant and collision-resistant functions, some signature schemes well known in classical cryptography are secure and can be used to authenticate communications on a classical channel without any common secret, and thereby to bootstrap key production on a quantum key distribution link. In practical scenarios, collision-resistant and preimage-resistant functions are instantiated with a cryptographic hash function. We contend that the security gained by the removal of the initial common secret far outweighs the loss caused by the dependence on the preimage and collision resistance of the hash function used, notably since these properties are required to hold only until the initial QKD protocol run finishes, and not as long as the keys produced by the QKD link are supposed to remain secret.

We believe that there are other ways to use properties related to one-wayness, like pseudo-randomness, to improve the practicality and/or security of QKD protocols, without sacrificing their most fundamental property, forward secrecy.